We intentionally not support client side requests for security reasons.
We will allow that once we implement client tokens which have a different OAuth flow and will allow some interesting features with it.

However I believe this related to version 1 of the API which I believe required both Client ID and Client Secret to be exposed. In version 2, only the Client ID is required, but I’m still seeing a CORS error when attempting to call https://www.patreon.com/oauth2/authorize client-side.

Is this still a security concern and does this CORS block still need to be in place for the v2 API?